Mitre D3FEND explained: A new knowledge graph for cybersecurity defenders

What is D3FEND?

D3FEND is a new schema released by Mitre last month to establish a common language to help cyber defenders share strategies and methods. It is a companion project to the company’s ATT&CK framework.

While complementary, the two projects are very different.

ATT&CK is a knowledgebase with a framework to classify tools, techniques and methods that adversaries use to breach networks. D3FEND is a knowledge graph that can parse vendor claims about mitigation and other countermeasures. It combines the languages and techniques of bioinformatics and “establishes terminology of computer network defensive techniques to illuminate previously unspecified relationships between defensive and offensive methods,” says Peter Kaloroumakis, the principle cyber engineer at Mitre and its creator who has been working on the schema for several years. As mentioned in the press release, “D3FEND enables cybersecurity professionals to tailor defenses against specific cyber threats, thereby reducing a system’s potential attack surface.”

Mitre D3FEND structure

D3FEND is composed of three critical pieces:

• A knowledge graph that summarizes the defensive methods, taken from an analysis of 20 years of prior cybersecurity filings in the US patent database. The graph contains a vocabulary list of terms along with taxonomies. It covers five general tactics that are used to classify each defensive method: harden, detect, isolate, deceive, and evict. The knowledge graph links to source code examples as illustrations of each technique.

• A series of user interfaces to access this data. The graph can be downloaded in different formats including the OWL2 description logic and RDF representations.  While these formats may not be familiar to infosec professionals, they are common languages used in the world of the semantic web and data modeling.

• A way to map these defensive measures to ATT&CK’s model.  

“Our hope is that D3FEND clarifies the specific functionality a product offers and reduces the amount of time spent analyzing vendor marketing materials,” says Kaloroumakis. Unlike ATT&CK, the D3FEND framework isn’t trying to be prescriptive. “We wanted to establish a common language and vocabulary on defensive methods,” he said. Another difference: ATT&CK uses the STIX and TAXII protocols to automate interactions with supporting security software tools, but D3FEND is mostly a manual effort—so far.

How MITRE D3FEND was created

D3FEND is the first comprehensive examination of this data, but assembling it wasn’t without its difficulties. Using the patent database as original source material for this project was both an inspiration and a frustration. Kaloroumakis got the idea when he had to review patent filings when he was CTO of Bluvector.io, a security company, before he came to Mitre. “There is an incredible variance in technical specifics across the patent collection,” he says. “With some patents, little is left to your imagination, but others are more generic and harder to figure out.”

He was surprised at the thousands of cybersecurity patent filings he found. “Some vendors have more than a hundred filings,” he said and noted that he has not cataloged every single cybersecurity patent in the collection. Instead, he has used the collection as a means to an end, to create the taxonomies and knowledge graph for the project. He also wanted to emphasize that just because a technology or a particular security method is mentioned in a patent filing doesn’t mean that this method actually finds its way into the actual product.

Let’s examine just one of the cataloged methods in the graph, URL analysis. A security analyst would determine if a URL is benign or malicious by analyzing its components, such as the domain name and port number used, along with the context of where this URL comes from, such as an email or a web link. The method links to an original Sophos patent and shows the various ATT&CK techniques such as spear phishing and drive-by attacks.

Beginnings of a Mitre D3FEND ecosystem

The Mitre effort was paid for by the NSA and is available to anyone to embrace and extend. Since the announcement of D3FEND, at least one open-source project has already been put together that helps translate methods back and forth with ATT&CK methods using Python scripts and queries. Mitre expects other third-party integrations to happen soon, just as ATT&CK has created its own ecosystem of tools vendors.

D3FEND isn’t the only effort of its kind, but it is trying to be the most comprehensive. “To date, there appears to be no comprehensive public analysis of the cybersecurity patent corpus for the purpose of developing a knowledge graph of cyber countermeasures,” Kaloroumakis says.

NIST has been behind the Cyber Defense Matrix for several years, which is both more abstract and more specific. “Existing cybersecurity knowledgebases do not explain with enough fidelity and structure what these countermeasures do to meet these needs,” says Kaloroumakis. He calls this separating the defensive measures from the mechanics, or how they actually work. The goal is to figure out if vendors are using different ways to try to solve the same problem, such as verifying a particular (and potentially malicious) code segment. He thinks that his project will help IT managers to find functional overlap in their current security product portfolios and guide any changes in their investments in a particular functional area, as well to help make them better defensive decisions to project their cyber infrastructure.